Forums: Anonymous Enumeration / Attack? - Forums


Anonymous Enumeration / Attack? Something besides proxies?

#1 Jim

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 16-June 05

Posted 04 July 2005 - 07:10 AM

Out of all the texts/books that I've read, not one of them has talked about how attackers maintain their anonymity before compromising the system. They all talk about the different audit trails/logs that should be removed or altered, but not how they keep themselves from being identified in the early enumeration stages.

There's always a lot of talk about proxies, but I figured proxies were typically mediums for HTTP communication. If that's the case, then how does one, say, mask an Nmap scan, a dig, or even a banner grab on port 25? The first thing that comes to mind is SOCKS. From what I've read, SOCKS is complete encapsulation of TCP/IP communication. How does one interface an Nmap scan to use the SOCKS proxy, or multiple SOCKS proxies, as a buffer? Not to mention that it could sometimes take more work just finding open proxies/SOCKS servers that aren't being used by 100 other people, and even then their integrity as anonymous can't be guaranteed.

So what's left? Is Tor capable of, or even suggested for, these types of interactions (from a technical, not ethical, standpoint)? Or is it easier for the attacker to use some type of homemade or open-source port redirection software, assuming it can encapsulate all traffic? But again I don't see how it interfaces with all the components used for enumeration or compromise. I know nmap has the -D option for decoy hosts, but I wonder how reliable it really is.

Am I thinking too much into it? lol.

Thanks in advance.

#2 skydance

  • Corporal
  • Group: Members
  • Posts: 176
  • Joined: 14-September 03

Posted 04 July 2005 - 09:39 AM

Well, nmap has another nice feature called idle scanning; check it out: hxxp://www.insecure.org/nmap/idlescan.html

#3 Jim

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 16-June 05

Posted 04 July 2005 - 12:15 PM

skydance, on Jul 4 2005, 12:39 PM, said:

Well, nmap has another nice feature called idle scanning; check it out: hxxp://www.insecure.org/nmap/idlescan.html

Thanks skydance. I tried that out, and it seems pretty efficient. Question: while the target server itself won't see the source of the scan, the "zombie" will, right?

#4 PuNkErX

  • Private First Class
  • Group: Members
  • Posts: 22
  • Joined: 27-September 04

Posted 04 July 2005 - 04:07 PM

How do you find the zombies? Is there a way to scan or anything like that?

#5 Jim

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 16-June 05

Posted 04 July 2005 - 04:52 PM

PuNkErX, on Jul 4 2005, 07:07 PM, said:

How do you find the zombies? Is there a way to scan or anything like that?

According to the article, the -sI option with the zombie host and target will attempt to scan using the first host as a zombie. It will tell you whether it's possible to use it as a zombie or not. It also says that Windows boxes, old Linux hosts, etc. were vulnerable. It took a handful of sites, but I eventually found one that worked.

#6 myth

  • Master Sergeant
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 04 July 2005 - 06:26 PM

Quote

rt001:/media# proxychains nmap -sP 203.23.125.1-254
Proxy Chains ver 1.8 running nmap

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-05 13:57 CST
caught SIGINT signal, cleaning up

Proxy Chains

Quote

rt001:/media# cat /etc/proxychains.conf
# proxychains.conf  VER 1.8
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise ECONNREFUSED is returned to the app
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise ECONNREFUSED is returned to the app
#
# Random - Each connection will be done via single random proxy from the list
# this option is good for scans

#DynamicChain
#StrictChain
RandomChain


#Some timeouts in milliseconds
#
tcp_read_time_out 15000
tcp_connect_time_out 10000

[ProxyList]
# ProxyList format
#      type  host  port [user pass]
#      (values separated by 'Tab')
#
#
#        Examples:
#
#            socks5  192.168.67.78  1080  lammer  secret
#            http    192.168.89.3   8080  justu   hidden
#            socks4  192.168.1.49   1080
#            http    192.168.39.93  8080
#
#
#      proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
#      the list below may be out of date, they all are public proxies
#http 192.115.8.xxx 80
#http 199.106.xxx.3 80
#http 195.8.0.xxx 80
#http 203.xxx.0.13 80

#socks4 80.xxx.146.16 1080
#socks4 211.xxx.10.133 1080
#socks4 194.165.xxx.34 1080
#socks4 201.11.xxx.xxx 1080
#socks4 202.83.xxx.xxx 1080

#socks5 61.182.xxx.183 1080
socks5 222.76.xxx.129 1080
#socks5 219.xxx.xxx.153 1080
#socks4 219.xxx.xxx.153 1080
#socks5 61.178.xxx.xxx 1080


That's how I do it, use proxychains.... Sorry I didn't put in a great answer, but the above examples are probably what you're looking for...
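The proxychains.conf quoted above has two rules that are easy to get wrong when editing it by hand: only the last uncommented chain mode counts, and every ProxyList entry must be `type host port [user pass]`. As an added example (not from this thread or from the proxychains project), here is a small parser that applies those rules and returns the effective mode, timeouts and active proxies; the embedded config is constructed with placeholder addresses.

```python
"""Parse a proxychains.conf in the v1.8 layout quoted in this thread and
report the effective chain mode, timeouts and the active proxy list."""

# Constructed sample modelled on the quoted file; addresses are placeholders.
SAMPLE_CONF = """\
# proxychains.conf  VER 1.8
#DynamicChain
#StrictChain
RandomChain

#Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 10000

[ProxyList]# ProxyList format
#      type  host  port [user pass]
#http 192.0.2.10 80
socks5\t192.0.2.129\t1080
socks4 198.51.100.7 1080 user pass
"""

CHAIN_MODES = {"dynamicchain": "dynamic", "strictchain": "strict",
               "randomchain": "random"}
PROXY_TYPES = {"http", "socks4", "socks5"}


def parse_proxychains(text):
    """Return {'mode', 'timeouts', 'proxies'} for a proxychains.conf string.
    As the file's own comment says, the last uncommented mode line wins."""
    mode, timeouts, proxies, in_list = None, {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[ProxyList]":           # also handles "[ProxyList]# ..."
            in_list = True
            continue
        if in_list:
            fields = line.split()            # tabs or spaces both accepted
            if len(fields) not in (3, 5) or fields[0] not in PROXY_TYPES:
                raise ValueError("bad proxy entry: %r" % raw)
            proxies.append({"type": fields[0], "host": fields[1],
                            "port": int(fields[2]), "auth": len(fields) == 5})
            continue
        key = line.lower()
        if key in CHAIN_MODES:
            mode = CHAIN_MODES[key]
        elif key.startswith("tcp_"):         # tcp_read_time_out etc.
            name, value = line.split()
            timeouts[name] = int(value)
    return {"mode": mode, "timeouts": timeouts, "proxies": proxies}
```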

#7 Jim

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 16-June 05

Posted 04 July 2005 - 06:37 PM

So, you can use proxychains with ANY type of connection over TCP/IP? If that's the case, can anyone suggest a lightweight "tiny" SOCKS proxy that can be used in conjunction with this, instead of relying on public proxies?

Edit: Actually I found 3proxy (http://www.security.nnov.ru/soft/3proxy/) and tinyproxy (http://tinyproxy.sourceforge.net/). Both open source, so I'm sure mechanisms like encryption/stealth could be implemented.

#8 skydance

  • Corporal
  • Group: Members
  • Posts: 176
  • Joined: 14-September 03

Posted 05 July 2005 - 09:16 AM

NavyIT: right, the zombie can see you.... About using SOCKS, that's OK as long as you control the servers running SOCKS and you make sure all logs and traces are erased.... Using public proxies could be hazardous.
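The point made in #3 and #8, that the zombie sees the scanner, is also what lets the zombie's owner notice it is being used: the host receives SYN/ACKs it never solicited, both the scanner's IP-ID probes and the target's replies for each open port. As an added example (not from this thread), here is a detector over a constructed packet log; the monitored host and all addresses are placeholders.

```python
"""Flag peers that send a monitored host SYN/ACKs it never asked for.
A host being used as an idle-scan zombie sees exactly that pattern."""
from collections import Counter

MONITORED = "203.0.113.5"  # hypothetical host whose traffic we watch

# Constructed log: (timestamp, src, dst, tcp_flags); placeholder addresses.
SAMPLE_PACKETS = [
    (0.0, MONITORED, "198.51.100.20", "S"),    # normal outbound connection
    (0.1, "198.51.100.20", MONITORED, "SA"),   # solicited: we sent the SYN
    (0.2, MONITORED, "198.51.100.20", "A"),
    (1.0, "192.0.2.99", MONITORED, "SA"),      # unsolicited, answered with RST
    (1.0, MONITORED, "192.0.2.99", "R"),
    (2.0, "192.0.2.99", MONITORED, "SA"),
    (2.0, MONITORED, "192.0.2.99", "R"),
    (2.5, "198.51.100.77", MONITORED, "SA"),   # one stray SYN/ACK
    (2.5, MONITORED, "198.51.100.77", "R"),
    (3.0, "192.0.2.99", MONITORED, "SA"),
    (3.0, MONITORED, "192.0.2.99", "R"),
]


def unsolicited_synacks(packets, host):
    """Count SYN/ACKs arriving at `host` from peers it never sent a SYN to."""
    syn_sent_to = set()
    counts = Counter()
    for _ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        if src == host and flags == "S":
            syn_sent_to.add(dst)           # we opened this one ourselves
        elif dst == host and flags == "SA" and src not in syn_sent_to:
            counts[src] += 1
    return counts


def suspected_probers(packets, host, threshold=3):
    """Peers at or above `threshold` unsolicited SYN/ACKs, busiest first.
    A low threshold also surfaces the scan target's per-port replies."""
    counts = unsolicited_synacks(packets, host)
    return [src for src, n in counts.most_common() if n >= threshold]
```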

#9 blackened

  • Private First Class
  • Group: Members
  • Posts: 27
  • Joined: 10-March 04

Posted 15 August 2005 - 10:57 AM

Tried it with FreeCap but couldn't get it working. Is there another way of running nmap through SOCKS on Windows?
